Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 aaf14361ecb0bba5…

MALICIOUS

Office (OOXML) / .XLSX

Size: 34.2 KB
Created: 2022-04-10 18:34:37 UTC
Authoring application: 16.0300
First seen: 2022-04-11
MD5: a60e301af2bf9c738d59bfa4182d37f9
SHA-1: d8b8d68eba5a67fc384b22edb3a6a1ced02f2e87
SHA-256: aaf14361ecb0bba536581cee0f7f69f5a18501794a943780c2c9b85c834b49a9
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1105 Ingress Tool Transfer

The sample is an OOXML file containing VBA macros. The critical-severity heuristic that fired indicates the presence of URLDownloadToFile, a function commonly used to download and execute malicious payloads. The VBA source also contains structures for process creation and manipulation, further suggesting it is designed to download and run a secondary stage. The document body text appears to consist of obfuscated or random strings, likely intended to evade basic content analysis.

Heuristics (3)

  • [critical] OLE_VBA_DOWNLOAD — URLDownloadToFile in VBA
    URLDownloadToFile call found in the VBA source
  • [high] OLE_VBA_CREATEOBJ — CreateObject call
    CreateObject call found in the VBA source
  • [medium] OOXML_VBA — VBA project inside OOXML
    Document contains vbaProject.bin (VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: 1425ed953b78547fe3ce5ec4436c67123961d2ae409e8db5b93460e1a721a3bf
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 10628 bytes

Filename: vbaProject_00.bin
  SHA-256: 0ad6287b0d2bc1be1c6d0698eece27625093db19ff0d0627ebd202f7dc1bb418
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 37376 bytes